Privacy Policy

Last updated: February 15, 2026

Stratum ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share information when you use our platform including Shipr, Quote, Customers, and Orders applications (collectively, the "Service").

1. Information We Collect

Account Information

When you create an account, we collect:

• Name and email address
• Organization/company name
• Password (stored as a bcrypt hash — we never store plaintext passwords)

Order and Shipping Data

When you use Shipr, we process:

• Recipient names and shipping addresses
• Order details (items, quantities, box dimensions, weights)
• Shipment tracking information
• Packing slip content

Third-Party API Credentials

When you connect integrations (e.g., ShipStation), we store:

• API keys and secret keys
• These are encrypted at rest using AES-256 encryption
• Encryption keys are stored separately from the encrypted data

Usage Data

We automatically collect:

• Pages visited and features used
• Browser type and operating system
• IP address (for security and rate limiting)
• Timestamps of account activity

Payment Information

Payment processing is handled entirely by Stripe. We do not store credit card numbers, CVVs, or bank account details. We receive only:

• Subscription status and plan type
• Stripe customer ID (for managing your subscription)
• Last four digits of your card (for display in your billing settings)

2. How We Use Your Information

3. Data Sharing

We do not sell your personal information. We share data only with:

• Stripe — Payment processing (Stripe Privacy Policy)
• ShipStation — When you export orders via your connected API key. Data is sent directly to ShipStation's API using your credentials.
• Neon — Database hosting (Neon Privacy Policy)
• Vercel — Application hosting (Vercel Privacy Policy)
• Resend — Transactional email delivery (Resend Privacy Policy)
• Ably — Real-time collaboration features (Ably Privacy Policy)

We may also disclose information if required by law, legal process, or to protect rights and safety.

4. Data Security

We implement industry-standard security measures:

• All data in transit is encrypted via TLS/HTTPS
• Third-party API keys are encrypted at rest with AES-256
• Passwords are hashed with bcrypt (12 rounds)
• Authentication uses short-lived JWT tokens with secure refresh token rotation
• Account lockout after repeated failed login attempts
• All database queries are scoped to your organization (multi-tenant isolation)

5. Cookies

We use the following cookies:

We do not use advertising or third-party tracking cookies.

6. Data Retention

We retain your data for as long as your account is active. When you delete your account:

• Account data is deleted within 30 days
• Order and shipping data is deleted within 30 days
• Encrypted API credentials are deleted immediately
• Authentication audit logs may be retained for up to 90 days for security purposes
• Backup copies may persist for up to 30 additional days

7. Your Rights

You have the right to:

• Access your personal data
• Correct inaccurate data
• Delete your account and data
• Export your data in a machine-readable format
• Object to processing of your data

To exercise these rights, contact [email protected].

8. Children's Privacy

The Service is not intended for children under 16. We do not knowingly collect personal information from children under 16.

9. International Users

Our Service is hosted in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. By using the Service, you consent to this transfer.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top reflects the most recent revision.

11. Contact

For questions or concerns about this Privacy Policy, contact us at:

[email protected]